Sharing objects between content script and page script

I’ve been trying to learn this properly the past few days and would appreciate it if someone would let me know if I have this right.

A content script can add a function to the page script’s window that will run in the content script’s context but using the argument object passed by the page script’s invocation of it, using something like this.

In the content script:

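// Object whose function will be exposed to the page script
var con_script = { 'notify' : function( msg ) { console.log( msg ); } };
var w = document.defaultView;
// Clone the object, including its functions, into the page's scope
w.wrappedJSObject.con_script = cloneInto( con_script, w, { cloneFunctions : true } );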

The page script invokes it as:

window.con_script.notify( { 'a' : [ 1, 2] } );

and it runs as if the page script’s object was passed to the content script and run there.

A content script can invoke a function (page_script_func) declared in the page script and pass it an argument object, as follows.

var w = document.defaultView;
// Clone the argument into the page's scope before passing it to the page's function
w.wrappedJSObject.page_script_func( cloneInto( { 'a' : data }, w ) );

and it’ll run as if the content script’s object was passed to the page script and run there.

Being rather new to all of this, it appears that the security maintained is that the content script cannot both add a function to the page script and invoke it with a content script object as an argument, nor add a function to the page script that references the page script’s objects.

For example, according to the above code, the content script could not do this:

w.wrappedJSObject.con_script.notify( cloneInto( { 'a' : data }, w ) );

to run notify in the page script using one of the content script’s own objects.

However, the two pages can communicate and share objects as long as the page script has functions in it to invoke those added by the content script. For example, page_script can use the object passed by the content script’s invocation of it but needs to invoke con_script.notify to pass back any results desired in the content script’s context.

If you can follow my non-technical novice explanation, would you please let me know if this is an accurate view of this, and if there is a better way of accomplishing the same. Also, is there any risk to the user in employing these methods?

Thank you.
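
Added example, not part of the original post: on the question of risk, the argument that the page script hands to notify is page-controlled input, so one way to limit exposure is to copy only the expected values out of it before the content script acts on them. The names validateNotifyArg, MAX_ITEMS and received, and the expected shape { a: [numbers] }, are assumptions modelled on the sample call in the post.

```javascript
// Added example: validate what the page passes to an exported function.
// MAX_ITEMS, validateNotifyArg, received and the expected shape { a: [numbers] }
// are assumptions modelled on the post's call con_script.notify({ a: [1, 2] }).
const MAX_ITEMS = 64; // assumed upper bound on the array length

// Returns a fresh copy built on the content-script side, or null on mismatch.
function validateNotifyArg(msg) {
  try {
    if (msg === null || typeof msg !== 'object') return null;
    const a = msg.a;                      // read the property exactly once
    if (!Array.isArray(a)) return null;
    const len = a.length;                 // snapshot the length once
    if (!Number.isInteger(len) || len > MAX_ITEMS) return null;
    const out = [];
    for (let i = 0; i < len; i++) {
      const v = a[i];                     // read each element once
      if (typeof v !== 'number' || !Number.isFinite(v)) return null;
      out.push(v);
    }
    return { a: out };                    // only validated primitives leave here
  } catch (e) {
    return null;                          // a throwing accessor counts as a rejection
  }
}

const received = []; // stands in for whatever the extension does with the data

const con_script = {
  notify: function (msg) {
    const clean = validateNotifyArg(msg);
    if (clean === null) return false;     // report accept/reject and nothing else
    received.push(clean);
    return true;
  }
};

// Content script wiring as in the post; skipped when run outside the browser.
if (typeof cloneInto === 'function' && typeof document !== 'undefined') {
  const w = document.defaultView;
  w.wrappedJSObject.con_script = cloneInto(con_script, w, { cloneFunctions: true });
}
```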